Hi, I wonder whether someone may be able to help me please.
I'm trying to put together a query which calculates the difference between the current date and a "Created Date". If you could have a look at the query below, please: I've converted the "Created Date" to epoch time, e.g. 1455700768.000000, but when I list the current date it's shown as 1456130889. So then when I try to find the difference, the query is extracting results such as 13+08:48:09.000000.
index=_audit action=edit_user operation=edit OR operation=create
| rename object as user
| stats max(timestamp) as "created" by user
| eval createddate=strptime(created, "%m-%d-%Y %H:%M:%S")
| eval testtime=now()
| eval diff = tostring((testtime - createddate), "duration")
| fields createddate testtime diff
Could someone possibly look at this please and let me know where I've gone wrong and how I can calculate the difference in days between the current date and the "Created Date"?
Many thanks and kind regards
Chris
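A worked version of the same calculation in Python, as an added example (it is not Chris's query and not Splunk code). It parses timestamps with the same "%m-%d-%Y %H:%M:%S" format from constructed _audit-style events, takes the latest create/edit per user, and renders the difference both as Splunk's "days+HH:MM:SS" duration string (which is what the 13+08:48:09 result already is) and as a whole number of days, then lists the users changed within a review window. Assumptions: the timestamps are treated as UTC, and the filter intended is action=edit_user with operation edit or create. It also shows why the maximum should be taken on the parsed epoch value rather than on the raw "MM-DD-YYYY" string: a string comparison sorts by month first, so a December 2015 event outranks a February 2016 one.

```python
from datetime import datetime, timezone

# Constructed sample events shaped like index=_audit rows (not real Splunk data).
AUDIT_EVENTS = [
    {"timestamp": "02-17-2016 09:19:28.000", "action": "edit_user", "operation": "create", "object": "alice"},
    {"timestamp": "02-10-2016 12:00:00.000", "action": "edit_user", "operation": "create", "object": "bob"},
    {"timestamp": "02-20-2016 08:00:00.000", "action": "edit_user", "operation": "edit",   "object": "bob"},
    {"timestamp": "12-30-2015 00:00:00.000", "action": "edit_user", "operation": "create", "object": "carol"},
    {"timestamp": "02-01-2016 00:00:00.000", "action": "edit_user", "operation": "edit",   "object": "carol"},
    {"timestamp": "02-21-2016 11:00:00.000", "action": "edit_user", "operation": "delete", "object": "dave"},
]

SPL_FORMAT = "%m-%d-%Y %H:%M:%S"   # same format string as the posted strptime()


def strptime_epoch(value, fmt=SPL_FORMAT):
    """Parse a _audit timestamp string to epoch seconds (float).

    The fractional ".000" suffix is dropped because the format string does not
    cover it. Assumption: strings are UTC; Splunk would apply the search head's
    time zone instead.
    """
    clean = value.split(".", 1)[0]
    return datetime.strptime(clean, fmt).replace(tzinfo=timezone.utc).timestamp()


def relevant(events):
    """Filter: action=edit_user and operation is edit or create (assumed intent)."""
    return (e for e in events
            if e["action"] == "edit_user" and e["operation"] in ("edit", "create"))


def latest_change_per_user(events):
    """stats max(timestamp) by user, with the max taken on the parsed epoch value."""
    latest = {}
    for e in relevant(events):
        ts = strptime_epoch(e["timestamp"])
        user = e["object"]            # rename object as user
        if ts > latest.get(user, float("-inf")):
            latest[user] = ts
    return latest


def lexicographic_max_timestamp(events, user):
    """What a max() over the raw strings yields: MM-DD-YYYY compares month first."""
    return max(e["timestamp"] for e in relevant(events) if e["object"] == user)


def duration_string(seconds):
    """Render seconds like tostring(X, "duration"): D+HH:MM:SS, or HH:MM:SS under a day."""
    total = int(seconds)
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def account_age_report(events, now_epoch):
    """One row per user: created epoch, duration string and whole days since."""
    rows = []
    for user, created in sorted(latest_change_per_user(events).items()):
        age = now_epoch - created
        rows.append({"user": user, "createddate": created,
                     "diff": duration_string(age), "diff_days": int(age // 86400)})
    return rows


def recently_created(rows, max_days):
    """Users whose latest create/edit falls within max_days: the list worth reviewing."""
    return [r["user"] for r in rows if r["diff_days"] <= max_days]


if __name__ == "__main__":
    # Fixed "now" instead of time.time() so the output is reproducible.
    now = strptime_epoch("02-22-2016 10:00:00.000")
    for row in account_age_report(AUDIT_EVENTS, now):
        print(f'{row["user"]:6} {row["diff"]:>12} {row["diff_days"]:3d} days')
    print("carol by string max:", lexicographic_max_timestamp(AUDIT_EVENTS, "carol"))
```

The whole-days figure is simply the epoch difference floor-divided by 86400; the "13+08:48:09" string Chris saw is the same quantity rendered as days plus the remaining time, not an error. Note the "dave" delete event is dropped by the filter, and that for "carol" the string-wise maximum selects the 2015 event while the epoch-wise maximum selects the later 2016 one.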